Chatroulette perverts' privates may not be so private after all

Security researchers reveal ways that willy-waving Chatroulette users might be leaving themselves open to much more than accusations of just being dirty perverts as privacy attack scenarios are explored.

If you have ever been tempted, like so many male Chatroulette users, to show complete strangers the contents of your trousers, new security research might persuade you not to join in this offensive nonsense. Video chat services such as Chatroulette enable random strangers to get virtually connected, but the lure of perceived anonymity and a somewhat ironic assumption of privacy have meant that it has attracted an unsavoury crowd of what a few years ago we would have called flashers or, perhaps more correctly, perverts.

I have tried using Chatroulette myself, and every single time have been greeted with the sight of some bloke playing with his erect penis within seconds or minutes at the longest. Word of this kind of behaviour quickly spreads and, when coupled with an apparent inability of the site operators to prevent it, attracts more willy-waving perverts until things inevitably reach the point where people use the service just to look at these members, if you'll excuse the pun.

A group of computer security researchers based at the University of Colorado, Boulder, USA and McGill University, Montreal, Canada have been exploring the security and privacy implications of using online video chat services. The report 'Intrusions into Privacy in Video Chat Environments: Attacks and Countermeasures' reveals that membership of Chatroulette has grown by some 500% since 2009 and that the service has started to address privacy issues. However, the report also looked at the privacy problems faced by this generic class of video chat service, identified "three specific classes of attack on such systems" and proposed countermeasures to address the threats.

The first and most direct attack against a video chat environment is labelled as the Enhanced De-anonymization Attack which seeks to identify users' geographical location. The researchers state that Chatroulette uses the Adobe Stratus platform in order to reduce bandwidth costs associated with video services. Chatroulette "handles the behind the scenes handshakes involved in making two clients connect, but the actual connection is a direct, peer-to-peer link between the two users." The researchers show how an attacker could easily get the source IP address from a packet header during the exchange of data between peers, and then use geo-IP mapping services to home in on an approximate user location.

Secondly, there's the phishing approach during which an attacker takes the guise of someone likely to be found attractive in a video-chat scenario in order to solicit sensitive data. You might call this the virtual Mata Hari attack, or perhaps the Anna Chapman attack these days I guess. The researchers suggest that instead of using email, as per a traditional phishing attack, it is possible to use a pre-prepared video to "lure unsuspecting individuals into a conversation" where details of social network accounts and other personal data could be extracted.

Finally, the report looks at a Man-in-the-Middle (MIM) attack scenario where a supposedly 'private' video interaction directly between two participants could be subject to eavesdropping. By combining this with the de-anonymization tactic it is possible, according to the researchers, to determine the identities of the people involved, who could then be blackmailed using video capture footage, especially if they have been engaged in the kind of typical mutual masturbation exercise so popular amongst users of these services.

Worryingly for the more dubious of Chatroulette users, the researchers warn that they have only "just begun to scratch the surface of interesting attacks" on video chat services and that "current security and privacy issues of these systems have been neglected."

I've been a freelance word punk for more than two decades and for the last few years an Editorial Fellow at Dennis Publishing. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011. As well as working for DaniWeb I have been a Contributing Editor with PC Pro (the best selling IT magazine in the UK) for twenty years.

Good share, your topic is very great and useful for us...thank you. I just like the approach you took with this subject. It isn't every day that you discover something so concise and enlightening.
p/s: Chat Roulette